0

I have a Security config class that has a SecurityWebFilterChain bean in it. This bean requires a ServerHttpSecuirty instance but spring says that it cannot find any beans of that type though there is one created in the external library (org.springframework.security.config.annotation.web.reactive.ServerHttpSecurityConfiguration). I have seen this issue on a github page and they said try a different version but I am using spring boot 2.4.5 so it should work.

My Security Config class:

@Configuration
public class SecurityConfig {
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http,
                                            JwtTokenProvider tokenProvider,
                                            ReactiveAuthenticationManager reactiveAuthenticationManager) {
    final String TAG_SERVICES = "/api/**";

    return http.csrf(ServerHttpSecurity.CsrfSpec::disable)
            .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
            .authenticationManager(reactiveAuthenticationManager)
            .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
            .authorizeExchange(it -> it
                    .pathMatchers(HttpMethod.POST, TAG_SERVICES).hasAnyRole("USER","ADMIN")
                    .pathMatchers(HttpMethod.PUT, TAG_SERVICES).hasAnyRole("USER","ADMIN")
                    .pathMatchers(HttpMethod.GET, TAG_SERVICES).hasAnyRole("USER","ADMIN")
                    .pathMatchers(HttpMethod.DELETE, TAG_SERVICES).hasAnyRole("USER","ADMIN")
                    .pathMatchers(TAG_SERVICES).authenticated()
                    .anyExchange().permitAll()
            )
            .addFilterAt(new JwtTokenAuthenticationFilter(tokenProvider), SecurityWebFiltersOrder.HTTP_BASIC)
            .build();


}

}

My application class

@ConfigurationPropertiesScan

@SpringBootApplication(exclude={DataSourceAutoConfiguration.class}) public class TestPlatformBackendApplication {

public static void main(String[] args) {
    SpringApplication.run(TestPlatformBackendApplication.class, args);
}

}

External Library Bean:

@Bean({"org.springframework.security.config.annotation.web.reactive.HttpSecurityConfiguration.httpSecurity"})
@Scope("prototype")
ServerHttpSecurity httpSecurity() {
    ServerHttpSecurityConfiguration.ContextAwareServerHttpSecurity http = new ServerHttpSecurityConfiguration.ContextAwareServerHttpSecurity();
    return http.authenticationManager(this.authenticationManager()).headers().and().logout().and();
}
Gregory Curtis
  • 61
  • 1
  • 7
  • you need to add `@EnableWebFluxSecurity` here is an example https://docs.spring.io/spring-security/site/docs/current/reference/html5/#explicit-webflux-security-configuration – Toerktumlare May 15 '21 at 22:43
  • I'm following an example that doesn't use that annotation and it works fine for me. Plus that enables a different type of security when I've tried doing that before. – Gregory Curtis May 16 '21 at 14:59
  • When you dont include the annotation, you are probably getting the default security implementation, when you use the annotation you are overriding the default with your custom one. Read the documentation https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/reactive/EnableWebFluxSecurity.html `Add this annotation to a Configuration class to have Spring Security WebFlux support added. User's can then create one or more ServerHttpSecurity Bean instances.` – Toerktumlare May 16 '21 at 21:42
  • So I added the '@EnableWebFluxSecurity' annotation but i also added 'exclude={SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class}' to my spring boot application annotation and this worked for me. – Gregory Curtis May 17 '21 at 08:30

1 Answers1

3

As Toerktumlare recommended in the comments (1, 2) I added @EnableWebFluxSecurity to my security config:

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

But I also added the following to my exclude in the @SpringBootApplication annotation.

@ConfigurationPropertiesScan
    @SpringBootApplication(exclude={DataSourceAutoConfiguration.class, SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class})
    public class TestPlatformBackendApplication {

    public static void main(String[] args) {
        SpringApplication.run(TestPlatformBackendApplication.class, args);
    }

}
Wai Ha Lee
  • 8,598
  • 83
  • 57
  • 92
Gregory Curtis
  • 61
  • 1
  • 7